The European Union’s (EU) General Data Protection Regulation (GDPR) came into effect on 25 May 2018, giving individuals in the EU more control over the personal data that online service providers collect about them.
Within 24 hours of the GDPR coming into force, the media reported that the Austrian privacy-advocacy group Noyb.eu had filed complaints with data-protection authorities against tech giants Google and Facebook, and against the Facebook-owned WhatsApp and Instagram, seeking penalties of up to $8.8 billion.
The group said the companies’ updated privacy policies are not adequate for GDPR compliance, and that their consent terms take a “take it or leave it” approach that essentially forces users to accept allegedly intrusive conditions or lose access to the service.
Whether or not the regulators uphold the complaints, the case underscores the risk companies face globally under the GDPR, especially when handling the personal data of people in the EU.
Impact on Indian organisations
The European law applies to organisations anywhere in the world that process the personal data of individuals in the EU. An Indian organisation that collects and processes such data, for example by offering goods or services to people in the EU or by monitoring their online behaviour, therefore falls within the GDPR’s scope.
The EU is a key market for the Indian IT-BPO industry as well as for tech startups, and yet most Indian companies are still not compliant with the GDPR.
The penalties under the GDPR can be as high as 4% of annual worldwide turnover for the preceding financial year or 20 million euros, whichever is higher. Apart from the financial impact and reputational risk, Indian companies also risk losing EU business if they are not GDPR-compliant.
Personal data and privacy rights
The GDPR protects personal data such as names, email addresses, location data and online identifiers (for example IP addresses and cookie identifiers) of individuals in the EU. Special categories of data, such as racial or ethnic origin, health data and genetic or biometric data, are afforded additional protection: processing them is prohibited unless a specific exception applies.
The GDPR has also strengthened individuals’ privacy rights, including the right of access to their personal data, the right to rectification, the right to withdraw consent at any time, the right to erasure (the “right to be forgotten”) and the right to data portability.
New compliance under GDPR
The GDPR has made consent requirements stringent. Consent must be freely given, specific, informed and unambiguous, and it must be given by a clear affirmative action: pre-ticked boxes, silence or inactivity do not count, and consent buried in lengthy terms that the user cannot easily distinguish from other matters is unlikely to be valid. For special categories of data, consent must be explicit.
Also, a personal-data breach must now be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. Where the breach is likely to result in a high risk to individuals, the organisation must also inform the individuals concerned without undue delay.
From an organisation’s perspective, it will need to implement technical and organisational measures that enable these data rights and let it demonstrate GDPR compliance at all times. Such measures include robust privacy policies, pseudonymisation and encryption of personal data, building privacy into products at the design stage and as the default setting (privacy by design and by default), and adherence to approved codes of conduct.
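The pseudonymisation measure mentioned above is worth seeing in code, because it is often done wrongly. The following is an added example written for this page, not code from the authors, from any regulator or from any product; it uses only the Python standard library, and the records, names and addresses in it are constructed. It shows a keyed (HMAC) pseudonym that only the key holder can link back to a person, the separate re-identification table that the controller keeps away from the processor, an erasure request served through that table, and why an unkeyed hash of an e-mail address is not adequate pseudonymisation, since addresses can simply be guessed and re-hashed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and addresses are invented.
SAMPLE_RECORDS = [
    {"name": "Anita Rao", "email": "Anita.Rao@example.com", "city": "Pune", "order_total": 1250},
    {"name": "Bikram Sen", "email": "bikram.sen@example.com", "city": "Kolkata", "order_total": 980},
    {"name": "Anita Rao", "email": "anita.rao@example.com", "city": "Pune", "order_total": 410},
]

# Fields that identify a person directly; everything else stays in the processor's view.
DIRECT_IDENTIFIERS = ("name", "email")


def generate_key() -> bytes:
    """32 random bytes. This key is the 'additional information' that GDPR
    Art. 4(5) requires to be kept separately from the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonym(email: str, key: bytes) -> str:
    """Deterministic keyed token for one e-mail address.
    Normalising case and whitespace means the same person gets the same token
    in every record, so deduplication and analytics still work for the processor."""
    canonical = email.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Split records into a processor view and a re-identification table.

    The processor view replaces direct identifiers with a token. The table maps
    token -> identifiers and stays with the controller under separate access
    control, so the processor alone cannot attribute a row to a person."""
    processor_view = []
    reid_table = {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        reid_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_token"] = token
        processor_view.append(stripped)
    return processor_view, reid_table


def reidentify(token, reid_table):
    """Only the holder of the table (the controller) can do this, for example
    to serve an access or erasure request from the data subject."""
    return reid_table.get(token)


def erase_subject(email, key, processor_view, reid_table):
    """Right to erasure: deleting the table entry breaks the link to the person;
    dropping the processor rows removes the data itself. Returns rows removed."""
    token = pseudonym(email, key)
    reid_table.pop(token, None)
    before = len(processor_view)
    processor_view[:] = [r for r in processor_view if r["subject_token"] != token]
    return before - len(processor_view)


def unkeyed_hash(email: str) -> str:
    """A common mistake: plain SHA-256 of the address with no secret key."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def dictionary_attack(token, candidate_emails, guess_fn):
    """What an attacker holding the tokens and a list of plausible addresses can
    do: hash each candidate with guess_fn and compare. Without the HMAC key the
    attacker cannot reproduce the keyed tokens, so the comparison never matches."""
    for cand in candidate_emails:
        if hmac.compare_digest(guess_fn(cand), token):
            return cand
    return None


if __name__ == "__main__":
    key = generate_key()
    view, table = pseudonymise(SAMPLE_RECORDS, key)
    print("processor view:", view)
    print("controller re-identifies first row:", reidentify(view[0]["subject_token"], table))
    # Attacker with a guessed address list (constructed) against both schemes.
    candidates = ["bikram.sen@example.com", "anita.rao@example.com"]
    print("unkeyed hash recovered:", dictionary_attack(unkeyed_hash("anita.rao@example.com"), candidates, unkeyed_hash))
    print("keyed token recovered:", dictionary_attack(view[0]["subject_token"], candidates, unkeyed_hash))
    print("rows removed on erasure:", erase_subject("anita.rao@example.com", key, view, table))
```

The key and the re-identification table belong on the controller's side, ideally in a key-management system with audited access, and the processor receives only the view; if both are stored together, the data is merely encoded, not pseudonymised. Encryption of the stored records is a separate, complementary control that this example does not cover.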
Organisations must review their existing contracts (with vendors, employees, business partners and anyone else with an EU connection), privacy policies and consent terms to assess whether they meet GDPR requirements.
Also, companies outside the EU will in most cases need to designate a representative in the EU, and in certain cases a data protection officer. Records of processing activities are mandatory for organisations with 250 or more employees, and also for smaller ones whose processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data. Since the GDPR imposes many detailed obligations, organisations need to take immediate steps towards compliance.
Cross-border data transfers
Another critical aspect of the GDPR is its provisions on cross-border transfers of data. A large number of Indian companies process data for EU clients.
Under the GDPR, personal data may be transferred outside the EU only in certain cases: when the European Commission has decided that the destination country provides an adequate level of data protection, or when the transferring organisation puts appropriate safeguards in place, such as binding corporate rules or standard data-protection clauses, among other mechanisms.
The EU has not yet recognised India as a country providing an adequate level of data protection. Hopefully, the new data-privacy law being drafted in India will meet EU standards.
If India Inc. is to continue its economic growth in the digital domain, GDPR compliance is a necessity. The new Indian privacy law in the offing may itself be inspired by the GDPR. Companies should therefore not see the GDPR only as a cost-and-compliance burden; it could, in fact, be a competitive edge.
Supratim Chakraborty and Harsh Walia are associate partners while Shweta Dwivedi is principal associate at law firm Khaitan & Co. LLP. Views are personal.